
Firewall in MTA mode not sending out mails

hi all,

Since about a day ago, my firewall (Home edition 18.5.2) is not sending out any mails anymore.

It seems it cannot connect to the smtp servers of the domains it tries to send to.

Oddly enough, I can telnet from the firewall advanced console into those mail servers, and sending from my Exchange server directly to the internet works as well.

The original SMTP Firewall rule created when setting up MTA is obviously working.

Here is what I see in the smtpd_main.log for one such attempt:

25264 queue-runner forked for qrun-delivery: 25294
25294 postfork: qrun-delivery
25294 locking /sdisk/spool/output//db/retry.lockfile
25294 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
25294 Considering: xxx.yyy@gmail.com
25294 unique = xxx.yyy@gmail.com
25294 xxx.yyy@gmail.com: queued for routing
25294 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
25294 routing xxx.yyy@gmail.com
25294 --------> router_for_notifications router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking "condition" "${if and{{bool_lax{1}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
25294 router_for_notifications router skipped: condition failure
25294 --------> batv_redirect router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking domains
25294 batv_redirect router skipped: domains mismatch
25294 --------> static_route_hostlist_for_email router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
25294 static_route_hostlist_for_email router skipped: condition failure
25294 --------> static_route_hostlist router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking domains
25294 static_route_hostlist router skipped: domains mismatch
25294 --------> static_route_bymx_for_email router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
25294 static_route_bymx_for_email router skipped: condition failure
25294 --------> static_route_bymx router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking domains
25294 static_route_bymx router skipped: domains mismatch
25294 --------> static_route_bydns_for_email router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
25294 static_route_bydns_for_email router skipped: condition failure
25294 --------> static_route_bydns router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking domains
25294 static_route_bydns router skipped: domains mismatch
25294 --------> smart_host_route router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 checking domains
25294 checking "condition" "0"...
25294 smart_host_route router skipped: condition failure
25294 --------> default_mx_router router <--------
25294 local_part=xxx.yyy domain=gmail.com
25294 calling default_mx_router router
25294 default_mx_router router called for xxx.yyy@gmail.com
25294   domain = gmail.com
25294 set transport remote_smtp
25294 queued for remote_smtp transport: local_part = xxx.yyy
25294 domain = gmail.com
25294   errors_to=NULL
25294   domain_data=NULL local_part_data=NULL
25294 routed by default_mx_router router
25294   envelope to: xxx.yyy@gmail.com
25294   transport: remote_smtp
25294   host gmail-smtp-in.l.google.com [2a00:1450:4013:c05::1b] MX=5 dnssec=no
25294   host gmail-smtp-in.l.google.com [108.177.126.27] MX=5 dnssec=no
25294   host alt1.gmail-smtp-in.l.google.com [2a00:1450:4010:c1c::1b] MX=10 dnssec=no
25294   host alt1.gmail-smtp-in.l.google.com [142.250.150.26] MX=10 dnssec=no
25294   host alt2.gmail-smtp-in.l.google.com [2404:6800:4003:c00::1a] MX=20 dnssec=no
25294   host alt2.gmail-smtp-in.l.google.com [74.125.200.27] MX=20 dnssec=no
25294   host alt3.gmail-smtp-in.l.google.com [2404:6800:4008:c13::1a] MX=30 dnssec=no
25294   host alt3.gmail-smtp-in.l.google.com [142.250.157.27] MX=30 dnssec=no
25294   host alt4.gmail-smtp-in.l.google.com [2607:f8b0:400e:c00::1b] MX=40 dnssec=no
25294   host alt4.gmail-smtp-in.l.google.com [173.194.202.27] MX=40 dnssec=no
25294 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
25294 After routing:
25294   Local deliveries:
25294   Remote deliveries:
25294     xxx.yyy@gmail.com
25294   Failed addresses:
25294   Deferred addresses:
25294 qrun-delivery forking for transport
25294 qrun-delivery forked for transport: 25295
25294 LOG: MAIN
25294   == xxx.yyy@gmail.com R=default_mx_router T=remote_smtp defer (110): Connection timed out DT=15s
2022-02-22 16:24:24.290 [25294] cWjQdg-lLWts3-Y5 == xxx.yyy@gmail.com R=default_mx_router T=remote_smtp defer (110): Connection timed out DT=15s
25294 locking /sdisk/spool/output//db/retry.lockfile
25294 >>>>>>>>>>>>>>>> Exim pid=25294 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>

The interesting part is now the transport:

25295 postfork: transport
25295 T: remote_smtp: for xxx.yyy@gmail.com
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 Relate with Firewall rule id: 39
25295 LOG: MAIN
25295   H=gmail-smtp-in.l.google.com [2a00:1450:4013:c05::1b]:25 Network is unreachable
2022-02-22 16:24:08.862 [25295] cWjQdg-lLWts3-Y5 H=gmail-smtp-in.l.google.com [2a00:1450:4013:c05::1b]:25 Network is unreachable
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 Relate with Firewall rule id: 39
25295 LOG: MAIN
25295   H=gmail-smtp-in.l.google.com [108.177.126.27]:25 Connection timed out
2022-02-22 16:24:24.288 [25295] cWjQdg-lLWts3-Y5 H=gmail-smtp-in.l.google.com [108.177.126.27]:25 Connection timed out
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/retry.lockfile
25295 locking /sdisk/spool/output//db/wait-remote_smtp.lockfile

Why is it not able to connect to that server 108.177.126.27? I can connect via telnet from the advanced console.
I haven't done anything to the network config. Rebooting the device did not change anything.
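The transport section of the log above is the part worth reading closely: every connection attempt is preceded by "Relate with Firewall rule id: 39", so each queued delivery is pinned to a specific firewall rule ID, and the attempt then fails with "Network is unreachable" or "Connection timed out" even though the same hosts are reachable from the console. The following is an added example (not code from this thread or from Sophos) that correlates those lines per transport process and flags deliveries pinned to a rule ID that is no longer in the live rule set. The log lines are constructed to match the format quoted in the post, and the set of live rule IDs is an assumed input that you would replace with the IDs shown in your own rule list.

```python
"""Correlate Exim transport log lines (Sophos MTA smtpd_main.log style) with
the firewall rule ID each delivery attempt was tied to, and flag attempts whose
rule ID is no longer present in the live rule set.

Added example, not code from the thread or from Sophos. The log format is
modelled on the lines quoted in the post; the sample lines below are
constructed, and the set of "live" rule IDs is an assumed input.
"""
import re
from collections import defaultdict

# Constructed sample: two transport processes. pid 25295 is tied to rule 39
# (stale) and fails twice; pid 25400 is tied to rule 1 (live) and connects.
SAMPLE_LOG = """\
25295 postfork: transport
25295 T: remote_smtp: for xxx.yyy@gmail.com
25295 Relate with Firewall rule id: 39
25295 LOG: MAIN
25295   H=gmail-smtp-in.l.google.com [2a00:1450:4013:c05::1b]:25 Network is unreachable
25295 Relate with Firewall rule id: 39
25295 LOG: MAIN
25295   H=gmail-smtp-in.l.google.com [108.177.126.27]:25 Connection timed out
25400 postfork: transport
25400 T: remote_smtp: for someone@example.org
25400 Relate with Firewall rule id: 1
25400 SMTP<< 220 mail.example.org ESMTP
"""

RULE_RE = re.compile(r"^(?P<pid>\d+) Relate with Firewall rule id: (?P<rule>\d+)$")
HOST_FAIL_RE = re.compile(
    r"^(?P<pid>\d+)\s+H=(?P<host>\S+) \[(?P<addr>[^\]]+)\]:(?P<port>\d+) "
    r"(?P<reason>Network is unreachable|Connection timed out|Connection refused)$"
)
RCPT_RE = re.compile(r"^(?P<pid>\d+) T: remote_smtp: for (?P<rcpt>\S+)$")


def parse_transport_log(text):
    """Group rule IDs, recipients and connection failures by transport pid."""
    by_pid = defaultdict(lambda: {"rules": set(), "rcpts": set(), "failures": []})
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            by_pid[m["pid"]]["rules"].add(int(m["rule"]))
        elif m := RCPT_RE.match(line):
            by_pid[m["pid"]]["rcpts"].add(m["rcpt"])
        elif m := HOST_FAIL_RE.match(line):
            by_pid[m["pid"]]["failures"].append(
                (m["host"], m["addr"], int(m["port"]), m["reason"])
            )
    return dict(by_pid)


def find_stale_rule_attempts(text, live_rule_ids):
    """Return [(pid, stale_rule_id, recipients, failure_count)] for transport
    processes that referenced a firewall rule ID not in live_rule_ids."""
    findings = []
    for pid, rec in sorted(parse_transport_log(text).items()):
        for rule in sorted(rec["rules"] - set(live_rule_ids)):
            findings.append((pid, rule, sorted(rec["rcpts"]), len(rec["failures"])))
    return findings


if __name__ == "__main__":
    # Assumed: the rule IDs currently present on the firewall (replace with
    # the IDs from your own rule list).
    live = {1, 12, 27}
    for pid, rule, rcpts, nfail in find_stale_rule_attempts(SAMPLE_LOG, live):
        print(f"pid {pid}: delivery to {', '.join(rcpts)} pinned to rule {rule} "
              f"(not in live set), {nfail} connection failure(s)")
```

A hit from this check points at a queued message whose firewall rule reference is stale rather than at a network problem, which is why a telnet from the console (not pinned to any queued message's rule) still succeeds while the queue runner cannot connect.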



  • Hello Edmund,

    Thank you for contacting the Sophos Community.

    Adding to what Luca mentioned: if, after you have switched from MTA to Legacy and back, the issue persists, you can run the script under /scripts/mail and modify the old Firewall rule (in your case 39) to the new one being used:

    # cd /scripts/mail

    # perl replace_firewall_id.pl 39 1

    Where 39 is your old Firewall rule and 1 is the new SMTP rule; just verify what ID the SMTP rule has.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Wow, thank you so much

    That cleared the queued messages, they were all sent out, after I changed the rule ID.

    It seems like a bad idea to have this MTA firewall rule somewhere at the bottom. It seems it belongs at the very top; as firewall rules get deleted and added, the ID for queued mails might change. It seems that after a mail is queued, it does not get updated if the rules change?

  • Hi,

    you appear to be confusing rule ID and rule place in the action list. The rule ID on the left-hand side stays the same unless deleted; the rule place in the action list changes as you add and delete rules. So if you add a rule at the top you need to move the MTA rule to the top again.

    Ian

    XG115W - v19.5.1 mr-1 - Home
